We have an OAuth flow in our application and we're performing the "authorisation step" by opening ASWebAuthenticationSession. When it completes, we parse out the query parameters from the callback URL, validate, and continue with the rest of the flow.
This works great with deep links (custom app schema), but becomes very "flaky" when using universal links.
From what I can gather, it looks like Safari verifies every navigation and determines whether it should trigger a universal link based on some heuristic. It'll be fine in about 50% of the attempts, but in the other 50% a regular navigation occurs and the user is just presented with our OAuth callback URL (plus the corresponding successful or unsuccessful query parameters), leaving the ASWebAuthentication modal open.
Has anyone ever experienced anything like this? Any idea what could be causing this?
We tested/checked:
Using https as the callback URL scheme, or leaving it nil.
Redirecting back to a URL with a path.
Verified our universal link handling.
Compared all navigations (status codes, headers, anything) for differences between successful and unsuccessful flows. Nothing.
Dug through console logs.
Switched to performing OAuth against Google as a backend, still fails 50% of the time.
Switched to using AppAuth instead of using our own solution. It also uses ASWebAuthSession and still fails 50% of the time.